From a1cdb441cf836ef4cb633bde8043aee4fb80416e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?=
Date: Mon, 5 Dec 2011 10:11:46 +0100
Subject: [PATCH] Bug 3280 Restrict Send basket feature

In order to prevent spamming using sendbasket.pl, some counter-measure are done:
- permit send basket only for authenticated user
- permit send basket only if basket contains items
- use username & email for 'Reply-To' field (with fallback to KohaAdminEmailAddress)
- add field X-Orig-IP with IP of sender
- add field X-Abuse-Report with KohaAdminEmailAddress

Note: we don't use forged 'To' address with patron email in order to prevent be marked as spam (by SPF for example).

Signed-off-by: Marcel de Rooy
Signed-off-by: Paul Poulain
---
 opac/opac-sendbasket.pl | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 7787217683..9b2484d218 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -54,11 +54,19 @@ my $email_sender = $query->param('email_sender');
 my $dbh = C4::Context->dbh;
 if ( $email_add ) {
+ my $user = GetMember(borrowernumber => $borrowernumber);
+ my $user_email = GetFirstValidEmailAddress($borrowernumber)
+ || C4::Context->preference('KohaAdminEmailAddress');
+ my $email_from = C4::Context->preference('KohaAdminEmailAddress');
+ my $email_replyto = "$user->{firstname} $user->{surname} <$user_email>";
 my $comment = $query->param('comment');
 my %mail = (
 To => $email_add,
- From => $email_from
+ From => $email_from,
+ 'Reply-To' => $email_replyto,
+ 'X-Orig-IP' => $ENV{'REMOTE_ADDR'},
+ 'X-Abuse-Report' => C4::Context->preference('KohaAdminEmailAddress'),
 );
 my ( $template2, $borrowernumber, $cookie ) = get_template_and_user(
@@ -66,7 +74,7 @@ if ( $email_add ) {
 template_name => "opac-sendbasket.tmpl",
 query => $query,
 type => "opac",
- authnotrequired => 1,
+ authnotrequired => 0,
 flagsrequired => { borrow => 1 },
 }
 );
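Review bot: The `Reply-To` value built on the `my $email_replyto = ...` line interpolates the patron's first name and surname as an unquoted display name, so a name containing a comma, parentheses or quotes produces a malformed RFC 5322 mailbox, and a CR/LF in either field would split the header unless Mail::Sendmail strips them. Quote and clean the display name before use: `my $reply_name = "$user->{firstname} $user->{surname}"; $reply_name =~ s/["\r\n]//g; my $email_replyto = qq{"$reply_name" <$user_email>};`. Note also that the added `GetMember` and `GetFirstValidEmailAddress` calls read `$borrowernumber` before the `my ( $template2, $borrowernumber, $cookie )` declaration later in this hunk, so under `strict` they resolve to an outer-scope variable declared outside this hunk; if that outer value can be undefined for an unauthenticated visitor, `$user` is undef here and the header degrades to ` <admin address>` before the `authnotrequired => 0` check in the next hunk turns the request away.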
@@ -106,8 +114,6 @@ if ( $email_add ) {
 my $resultsarray = \@results;
- my $user = GetMember(borrowernumber => $borrowernumber);
-
 $template2->param(
 BIBLIO_RESULTS => $resultsarray,
 email_sender => $email_sender,
@@ -162,14 +168,15 @@ $isofile
 $boundary--
 END_OF_BODY
- # Sending mail
- if ( sendmail %mail ) {
- # do something if it works....
+ # Sending mail (if not empty basket)
+ if ( defined($iso2709) && sendmail %mail ) {
+ # do something if it works....
 $template->param( SENT => "1" );
 }
 else {
 # do something if it doesnt work....
- carp "Error sending mail: $Mail::Sendmail::error \n";
+ carp "Error sending mail: empty basket" if !defined($iso2709);
+ carp "Error sending mail: $Mail::Sendmail::error" if $Mail::Sendmail::error;
 $template->param( error => 1 );
 }
 $template->param( email_add => $email_add );
-- 
2.39.5
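Review bot: The empty-basket guard `defined($iso2709)` in the new `if` only works if `$iso2709` is left undef when no records were selected; `$iso2709` is assigned outside this hunk, so if it is ever initialised to an empty string the guard never fires and an empty message still goes out. A length test covers both cases: `if ( defined($iso2709) && length($iso2709) && sendmail %mail ) {`, with the matching `carp ... if !defined($iso2709)` in the `else` branch changed to `if !( defined($iso2709) && length($iso2709) )`. In that `else` branch both causes set the same `error => 1`, so the template cannot tell the patron whether the basket was empty or delivery failed; a separate template flag for the empty-basket case (a new parameter name would have to be added to the template) would make the message actionable. The `$template` and `$iso2709` variables the hunk relies on are declared outside it.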